Posted to dev@hc.apache.org by "Julius Davies (JIRA)" <ji...@apache.org> on 2006/12/07 23:09:29 UTC

[jira] Commented: (HTTPCLIENT-613) https should check CN of x509 cert

    [ http://issues.apache.org/jira/browse/HTTPCLIENT-613?page=comments#action_12456616 ] 
            
Julius Davies commented on HTTPCLIENT-613:
------------------------------------------

To account for a problem with IBM 1.4.x JVMs, I think we should also test against sslSocket.getSession() being null.  If it is null, we should try to get the socket to blow up by calling socket.getInputStream().available().

import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

SSLSocket ssl = (SSLSocket) s;   // s is the java.net.Socket returned by createSocket()
SSLSession session = ssl.getSession();
if ( session == null ) {
    // In our experience this only happens under IBM 1.4.x.
    // hopefully this will unearth the real problem:
    // (available() forces the pending handshake to complete, so a rejected
    // certificate chain surfaces here as an SSLHandshakeException)
    ssl.getInputStream().available();
}

[Not sure how to deal with this 2nd patch.  Do I upload a new patch containing both fixes?  Sorry I'm such a newb!]

Here's some background info:

The IBM 1.4.x JVM, when acting as an SSL client, is quite picky about the certificate chain that the server presents.  If the server includes some stray certificates in the chain, IBM will blow up.

But it takes a little while to blow up:

SSLSocket s = factory.createSocket( host, port );

// okay, we're still okay

SSLSession session = s.getSession();

// still okay!  No exceptions thrown!   But session is null.  Uh oh.

InputStream in = s.getInputStream();

// Still no exceptions thrown!  Wow, IBM is a survivor.

in.available();

// ! * BOOM * !

javax.net.ssl.SSLHandshakeException: bad certificate
        at com.ibm.jsse.bv.a(Unknown Source)
        at com.ibm.jsse.a.a(Unknown Source)
        at com.ibm.jsse.a.available(Unknown Source)



> https should check CN of x509 cert
> ----------------------------------
>
>                 Key: HTTPCLIENT-613
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-613
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>            Priority: Critical
>             Fix For: 4.0 Alpha 1
>
>         Attachments: SSLSocketFactory.patch
>
>
> https should check CN of x509 cert
> Since we're essentially rolling our own "HttpsURLConnection",  the checking provided by "javax.net.ssl.HostnameVerifier" is no longer in place.
> I have a patch I'm about to attach which caused both createSocket() methods on o.a.h.conn.ssl.SSLSocketFactory to blow up:
> test1: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com> != <www.vancity.com>
> test2: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com> != <www.vancity.com>
> Hopefully people agree that this is desirable.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
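
Added example, not code from the HttpClient project or from the attached patch: a Java helper that combines the two points raised in the comment above. It guards against getSession() returning null and then checks the peer's end-entity certificate against the host name the caller intended to reach, producing the same "hostname in certificate didn't match" failure the issue describes. It differs from the snippet above in forcing the pending handshake with startHandshake() rather than available(), and it prefers dNSName subject alternative names over the subject CN, falling back to the CN only when the certificate carries no SANs. The class and method names (HostnameCheck, verify, candidateNames, matches) are hypothetical.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper (added example, not HttpClient code). */
public final class HostnameCheck {

    private HostnameCheck() {}

    /**
     * Check that the end-entity certificate on an already-connected SSLSocket
     * is for {@code host}. Throws SSLException if it is not, mirroring the
     * "hostname in certificate didn't match" failure described in the issue.
     */
    public static void verify(SSLSocket ssl, String host) throws IOException {
        SSLSession session = ssl.getSession();
        if (session == null) {
            // Some JSSE implementations hand back null instead of throwing.
            // Forcing the handshake makes a rejected chain fail here, loudly,
            // rather than later inside a read on the stream.
            ssl.startHandshake();
            session = ssl.getSession();
            if (session == null) {
                throw new SSLException("no SSL session established with " + host);
            }
        }
        // getPeerCertificates() itself throws SSLPeerUnverifiedException when
        // the peer's identity was not established during the handshake.
        Certificate[] chain = session.getPeerCertificates();
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException("no X.509 end-entity certificate from " + host);
        }
        List<String> names = candidateNames((X509Certificate) chain[0]);
        for (String name : names) {
            if (matches(host, name)) {
                return;
            }
        }
        throw new SSLException("hostname in certificate didn't match: " + names + " != <" + host + ">");
    }

    /** dNSName subject alternative names first; the subject CN only if there are none. */
    static List<String> candidateNames(X509Certificate cert) throws SSLException {
        List<String> names = new ArrayList<String>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    // GeneralName tag 2 = dNSName; its value is a String
                    if (Integer.valueOf(2).equals(san.get(0)) && san.get(1) instanceof String) {
                        names.add((String) san.get(1));
                    }
                }
            }
            if (names.isEmpty()) {
                LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
                for (Rdn rdn : dn.getRdns()) {
                    if ("CN".equalsIgnoreCase(rdn.getType())) {
                        names.add(String.valueOf(rdn.getValue()));
                    }
                }
            }
        } catch (CertificateParsingException e) {
            throw new SSLException("cannot parse peer certificate: " + e.getMessage());
        } catch (InvalidNameException e) {
            throw new SSLException("cannot parse subject DN: " + e.getMessage());
        }
        return names;
    }

    /** Case-insensitive match; a leading "*." covers exactly one left-most label. */
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);            // "vancity.com" does not match "www.vancity.com"
        }
        String suffix = p.substring(1);    // "*.vancity.com" -> ".vancity.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }
}
```

Call HostnameCheck.verify(ssl, host) right after the socket factory returns, before any request bytes are written; with the issue's test certificate (CN vancity.com, host www.vancity.com) it throws, and a certificate whose SAN list or CN contains "*.vancity.com" or "www.vancity.com" passes. The wildcard rule deliberately refuses to let "*.com" or "*.vancity.com" cover more than one label, so "a.b.vancity.com" is rejected.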

---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org